Rate limits protect the platform - and your tenant’s neighbors - from runaway scripts and hot loops. Limits are applied per API key , so splitting traffic across keys per-service gives you headroom.
Default limits Environment Requests per second (per key) Burst Test 30 60 Live (standard) 100 200 Live (scale plan) 1,000 2,000
Some endpoints have tighter limits because they mint short-lived session material or fan out into heavier background work:
Endpoint Limit Reason POST /kyc/onfido10 / sec Verification session creation is intentionally throttled POST /tenants/add-user-bulk5 / sec Bulk jobs are throttled; each job itself handles up to 10,000 users
Every response includes:
Header Meaning X-RateLimit-LimitQuota for this key. X-RateLimit-RemainingRequests left in the current window. X-RateLimit-ResetUnix timestamp when the window resets. Retry-AfterSeconds to wait before retrying (on 429 only).
Handling 429 When you get a 429 rate_limit_exceeded, back off:
Node.js (fetch)
Python (requests)
async function withRetry ( req : () => Promise < Response >, max = 5 ): Promise < Response > { for ( let i = 0 ; i < max ; i ++) { const res = await req (); if ( res . status !== 429 ) return res ; const retryAfter = Number ( res . headers . get ( "retry-after" ) ?? 2 ** i ); await new Promise (( r ) => setTimeout ( r , retryAfter * 1000 )); } throw new Error ( "Exceeded retries" ); }
Wrap every outbound call in this helper once, and you won’t have to think about rate limits again.
Need more? If you’re legitimately hitting the ceiling, contact sales - we raise limits for growing workloads, often same-day. 
